The TikTok Android app harbored a critical flaw that criminals could have exploited to hijack user accounts, Microsoft researchers have discovered.
The vulnerability involved using a crafted URL to bypass the app’s deeplink verification mechanism and force the app’s WebView component to load an arbitrary URL.
Despite the vulnerability’s tremendous destructive potential, Microsoft has no evidence that criminals have actually used it to carry out any attacks.
“The vulnerability, which would have required several issues to be chained together to exploit, has been fixed and we did not locate any evidence of in-the-wild exploitation,” reads Microsoft’s security advisory. “Attackers could have leveraged the vulnerability to hijack an account without users’ awareness if a targeted user simply clicked a specially crafted link. Attackers could have then accessed and modified users’ TikTok profiles and sensitive information, such as by publicizing private videos, sending messages, and uploading videos on behalf of users.”
Malicious actors could have used the disclosed deeplink verification bypass vulnerability in conjunction with an HTTP request authentication method to compromise TikTok accounts.
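The weak point in this class of bug is the check an app runs on the URL a deeplink hands to its WebView. The following is an added illustration written for this article, not TikTok's or Microsoft's code: a model deeplink handler whose scheme, host and `url` parameter names are assumed, with a substring-based check beside a strict one that parses the target and compares its host exactly. All hostnames are constructed placeholders.

```python
"""
Model of deeplink target validation before a WebView load.
Added example, not code from TikTok or Microsoft; the deeplink shape
myapp://webview?url=<target> and the allowlist are assumptions.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: the only hosts the WebView should ever load.
ALLOWED_HOSTS = {"app.example.com", "m.example.com"}


def extract_target(deeplink: str) -> Optional[str]:
    """Return the `url` query parameter of a myapp://webview deeplink, or None."""
    parts = urlparse(deeplink)
    if parts.scheme != "myapp" or parts.netloc != "webview":
        return None
    values = parse_qs(parts.query).get("url")
    return values[0] if values else None


def weak_check(target: str) -> bool:
    """Substring match: passes any URL that merely *contains* an approved host.

    This is the kind of verification a crafted URL slips past, because the
    approved name can appear in the userinfo, in a longer hostname, or in
    the path while the real host is something else.
    """
    return any(host in target for host in ALLOWED_HOSTS)


def strict_check(target: str) -> bool:
    """Parse the URL, require https, reject userinfo, and match the host exactly."""
    parts = urlparse(target)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:  # user:pass@host form; never accept it
        return False
    return parts.hostname in ALLOWED_HOSTS


def may_load(deeplink: str, strict: bool = True) -> bool:
    """Decide whether the WebView may load the deeplink's target."""
    target = extract_target(deeplink)
    if target is None:
        return False
    return strict_check(target) if strict else weak_check(target)


if __name__ == "__main__":
    # Constructed deeplinks: one legitimate, three shaped to fool a loose check.
    samples = [
        "myapp://webview?url=https://app.example.com/promo",
        "myapp://webview?url=https://app.example.com.evil.example/",
        "myapp://webview?url=https://app.example.com@evil.example/",
        "myapp://webview?url=http://app.example.com/",
    ]
    for link in samples:
        print(f"{link}\n  weak={may_load(link, strict=False)} strict={may_load(link)}")
```

Run stand-alone, the script shows the substring check accepting all four deeplinks while the strict check accepts only the first; the difference between the two is exactly what a deeplink verification bypass exploits, and exact host comparison on a parsed URL (plus a fixed scheme) is the mitigation.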
Experts determined that the vulnerability affected both TikTok Android apps: the East and Southeast Asia release (com.ss.android.ugc.trill) and the global one (com.zhiliaoapp.musically). On Google’s Play Store alone, the two apps have a combined 1.5 billion installations.
TikTok was informed of the flaw in February 2022, and quickly released a fix. Microsoft issued a brief list of recommendations to stay safe against this attack and similar ones:
Specialized solutions like Bitdefender Mobile Security can help you fend off new and existing security threats with features like:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.